[wp-hackers] Should OpenID be in WP core?

Mark Jaquith mark.wordpress at txfx.net
Sun Mar 11 21:43:38 GMT 2007

On Mar 11, 2007, at 1:57 PM, Martin Fitzpatrick wrote:

> characters in your password" (or similar) style protection in use
> instead. It would seem less hassle (and as secure?) to displays a
> message known only to the user / OpenID so the *server* can confirm it
> is the real thing to the user. This is one of those places where the
> trust needs to be proved in both directions...

Such a solution, used by banks and others, only works if the username  
in question is a secret.  You provide the username, they provide some  
piece of "trust" back to you based on the username, and then you know  
you can provide your password.

OpenID depends on your username being publicly available.  So  
everyone knows that my OpenID is markjaquith.com  Thus, any trust  
token shown to me at my login prompt could be spidered by phishers.

Refusal to show the login prompt unless you manually type in the  
address is a pretty good solution.  Like the trust token, it gets  
people used to a certain behavior.  (a) they see their trust token,  
then they enter their password.  (b) they type in their OpenID  
provider's URL, and they enter their password.  Either way, you're  
trying to get people so used to doing it the safe way that when it  
changes, their brain slams on the brakes.

Mark Jaquith

Covered Web Services

More information about the wp-hackers mailing list